Report security issues privately via the repository's GitHub Security Advisories ("Report a vulnerability"). Do not open a public issue for a suspected vulnerability.

This is reference governance IP with zero runtime dependencies. The primary security surface is the integrity of the audit chain and the fail-closed posture of the production-mode controls. See FAILURE-MODES.md for the trust-boundary model and LIMITATIONS.md for what is in and out of scope.

The latest released minor version receives security fixes.